Tags: fedora-selinux/selinux-policy

Tags

v40.21

Add policy for a generic generator

All systemd system generators which do not have a particular type
assigned will now be executed in the systemd_generic_generator_t domain
instead of init_t.

v40.20

Allow journald read systemd config files and directories

The commit addresses the following AVC denial:
type=AVC msg=audit(1716124222.645:387): avc:  denied  { read } for  pid=7051 comm="systemd-journal" name="journald.conf" dev="dm-0" ino=3408555 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_conf_t:s0 tclass=file permissive=0

Resolves: rhbz#2281489

v40.19

Allow postfix smtpd map aliases file

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(05/16/2024 11:58:56.019:602) : proctitle=smtpd -n smtp -t inet -u -s 2
type=MMAP msg=audit(05/16/2024 11:58:56.019:602) : fd=12 flags=MAP_SHARED
type=SYSCALL msg=audit(05/16/2024 11:58:56.019:602) : arch=x86_64 syscall=mmap success=yes exit=139799220453376 a0=0x0 a1=0x1000000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=8078 pid=8866 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(05/16/2024 11:58:56.019:602) : avc:  denied  { map } for  pid=8866 comm=smtpd path=/etc/aliases.lmdb dev="vda2" ino=2316284 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=1

Resolves: RHEL-35544

v38.1.38

Add boolean qemu-ga to run unconfined script

Resolves: RHEL-31211

v39.7

Add interfaces for watching and reading ifconfig_var_run_t

Required by frr.
https://gitlab.com/redhat/centos-stream/rpms/frr/-/merge_requests/24

Signed-off-by: Vit Mojzis <[email protected]>

v38.1.37

Allow numad to trace processes in user namespace

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(04/23/2024 18:03:36.617:3479) : proctitle=/usr/bin/numad -i 15
type=SYSCALL msg=audit(04/23/2024 18:03:36.617:3479) : arch=x86_64 syscall=read success=yes exit=169 a0=0x1 a1=0x55cf0c6d4240 a2=0x400 a3=0x0 items=0 ppid=1 pid=3200 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=numad exe=/usr/bin/numad subj=system_u:system_r:numad_t:s0 key=(null)
type=AVC msg=audit(04/23/2024 18:03:36.617:3479) : avc:  denied  { sys_ptrace } for  pid=3200 comm=numad capability=sys_ptrace  scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=cap_userns permissive=0

Resolves: RHEL-33994

v40.18

Allow virtqemud read vfio devices

The commit addresses the following AVC denial:
type=AVC msg=audit(04/05/24 17:01:42.433:362) : avc:  denied  { read write } for  pid=8259 comm=qemu-system-x86 name=21 dev="tmpfs" ino=8 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1

v40.17

Define transitions for /run/libvirt/common and /run/libvirt/qemu

These particular changes were applied:
- virtlxcd can create the /run/libvirt/common directory with the correct label
- virtqemud can create the /run/libvirt/qemu directory with the correct label

Resolves: rhbz#2262587

v39.6

Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on

When samba is allowed to access a home directory, it sometimes needs to
add a watch on the whole home directory to respond to watch requests from
clients (for example from Windows).

Addresses the following denial:
type=AVC msg=audit(1705933921.682:202): avc:  denied  { watch } for pid=11956 comm="smbd-notifyd" path="/home/test" dev="vda4" ino=912095 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

Resolves: RHEL-14735

v40.16

Allow keyutils-dns-resolver connect to the system log service

The commit addresses the following AVC denial:
type=AVC msg=audit(1712345086.525:270): avc:  denied  { read } for  pid=5751 comm="key.dns_resolve" name="log" dev="devtmpfs" ino=198 scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0

Resolves: rhbz#2273707